Category: DNSSEC

Confirmed – Google’s Public DNS Now Performs DNSSEC Validation For ALL Queries By Default

It’s official… Google’s Public DNS service is now performing DNSSEC validation for all DNS queries by default!

When news broke back on March 19 that Google had enabled DNSSEC validation on its Public DNS service, there was some initial concern after people noticed that Google was only performing the DNSSEC validation when requested. This led to a clarification a few days later from Google that their initial rollout required a client to request DNSSEC validation so that they could test out the service – and that full validation was coming soon.

The Official Word

Yesterday, Google’s Warren Kumari posted in the dnssec-deployment mailing list that full validation IS now happening:

We have recently enabled validation by default globally, and you should now get SERVFAIL for validation failures.  Apologies again for the original, unclear announcement.

The blog / documentation has not been updated yet (that will probably happen in the next few days) but we wanted to give you the good news as soon as possible.

And indeed a quick test to see if I could get the DNS records for a test domain known to have a bad DNSSEC signature did produce the expected “SERVFAIL” message and correctly did not return any DNS records:

$ dig @8.8.8.8 www.dnssec-failed.org

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.        IN    A
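To run the same check from a script instead of reading dig output by eye, here is an added example (my own code, not from the post or from Google): it builds a DNS query with the EDNS0 DO bit set, reads the RCODE and the AD (authenticated data) flag from the response header, and classifies the result the way the dig output above is read. The resolver address and test domain are the ones above; the two sample response headers are constructed, and the live query at the end needs network access.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, txid=None):
    """DNS query (RD set) for name/qtype plus an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    if txid is None:
        txid = random.randrange(65536)  # a real client randomises the transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT 1, ARCOUNT 1 (the OPT RR)
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    question = b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO (0x8000), no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (txid, rcode name, AD bit) from the 12-byte DNS response header."""
    txid, flags = struct.unpack("!HH", response[:4])
    return txid, RCODES.get(flags & 0x000F, str(flags & 0x000F)), bool(flags & 0x0020)

def classify(rcode, ad):
    """SERVFAIL means the resolver refused a broken chain; AD means it validated the answer."""
    if rcode == "SERVFAIL":
        return "validation failure (or resolver error)"
    if rcode == "NOERROR" and ad:
        return "validated (AD set)"
    return "answered without validation (AD clear)"

def query_resolver(server, name, timeout=3.0):
    """Send one UDP query and return (rcode, ad, classification); needs network access."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    txid, rcode, ad = parse_flags(data)
    return rcode, ad, classify(rcode, ad)

# Constructed response headers (not captured traffic): id 0x1234, flags qr rd ra, one question,
# and either rcode SERVFAIL or NOERROR with AD set and one answer record.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    for sample in (SAMPLE_SERVFAIL, SAMPLE_VALIDATED):
        print(classify(*parse_flags(sample)[1:]))
    try:
        print("8.8.8.8 / www.dnssec-failed.org:", query_resolver("8.8.8.8", "www.dnssec-failed.org"))
    except OSError as err:
        print("live query skipped:", err)
```

A validating resolver returns SERVFAIL for www.dnssec-failed.org; a non-validating one returns NOERROR with the AD flag clear, which is the difference the dig test above relies on.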

This is great news for those of us who are advocates of DNSSEC and means that anyone using Google’s Public DNS servers for DNS name resolution is now automatically receiving the greater security of DNSSEC. Anyone using those servers will know that (for signed domains) the information they are getting out of DNS is the same information that the domain operator put into DNS – and not that of an attacker seeking to have you go to some other site.

If you, too, want to gain access to the increased security of DNSSEC, all you have to do is configure your computer or home router to have as its DNS servers the Google Public DNS servers:

8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844

That’s it!

Moving DNSSEC Validation Even Closer

As awesome as this move by Google is (and it is awesome), you could still increase the security provided by DNSSEC a bit more.  Because Google’s Public DNS servers are not on your local network and are rather somewhere out across the Internet, there is still a chance that an attacker could insert himself or herself between you and Google’s DNS servers.  The attacker could then pretend to be sending you back the correct information and masquerading as Google’s Public DNS servers.

To get the highest level of DNSSEC security, you ideally want to be performing the DNSSEC validation on at least your local network and potentially even your local computer. There’s a great whitepaper out from the folks at SURFnet called “Deploying DNSSEC: Validation on recursive caching name servers” that explains how you can simply enable DNSSEC validation for three of the common DNS servers used by enterprises and networks today.

Hey, if Google can enable DNSSEC validation, why can’t you?

If you can’t do DNSSEC validation locally (for example, if you only have a home WiFi router that doesn’t perform validation) then getting the validation performed at your ISP may be the next step… and if your ISP won’t do DNSSEC validation then you really have no other choice but to use a service like Google’s Public DNS services. Their DNSSEC validation is definitely far better protection than none at all!

Again, kudos to Google’s Public DNS team for taking this step and we look forward to the day when all DNS resolvers just perform DNSSEC validation automatically.


Can DNSSEC and DANE Help Make Voice-over-IP (VoIP) and Unified Communications (UC) More Secure?

Can DNSSEC help make voice and video communications over IP more secure?  Could DNSSEC combined with DANE provide a means to more easily distribute the TLS/SSL certificates needed for VoIP phones and systems?  Can DNSSEC help ensure that you are talking with the correct VoIP system or application server?  Can DNSSEC improve the security of the many WebRTC-based clients being developed? How can a DNS-based public key infrastructure (PKI) help improve the security of IP-based communications (whether you call it “VoIP”, “unified communications”, “real-time communications” or just simply “telecommunications”)?

These were among the questions that I set out to address in a presentation at the SIP Network Operators Conference (SIPNOC) 2013 last week in Reston, Virginia. Speaking to network operators ranging from large carriers and telcos to smaller “over-the-top (OTT)” startups, I used this set of slides to frame the discussion:

I also spoke about how two VoIP software products have already incorporated DNSSEC – the Jitsi softphone and the Kamailio server – and mentioned the new “DNSSEC and IP-based Communications” resource page I’m starting to build (and for which I would appreciate any suggestions).

I don’t necessarily have the “answers” to these questions (although I have opinions :-) )… I was more starting to raise the questions. The DNS community has been building this mechanism (DNSSEC) that provides a “trust layer” and can increase the security of DNS, as well as, via DANE, the entire TLS/SSL certificate infrastructure that we have come to rely upon.  How can we use these improvements to increase the security of IP communications?

For some further context, you may be interested in this recording I made on the topic:

I think there could be some good potential benefit here – and I’m looking forward to further discussions on this topic in the weeks and months ahead.  I’d love to hear your thoughts… either as comments to this post on our site or in social networks … or via direct email to me.

How could we use DNSSEC to increase the overall security of our communications infrastructure?


P.S.  I’ll also be appearing on the VoIP Users Conference (VUC) podcast on this coming Friday, May 3, 2013, to discuss these ideas within that community (to which anyone is welcome to join in). More details soon… 

DNSSEC and IP Communications (including VoIP, UC, RTC, SIP)

This page will serve as a repository of information related to how DNSSEC and DANE can work with communications protocols based on IP, including voice-over-IP (VoIP), unified communications (UC), real-time communications (RTC) and the use of the Session Initiation Protocol (SIP).

Documentation

  • (need to identify any documentation on this topic)

Presentation Slides

Communities

There is a good amount of discussion about DNSSEC happening in various DNSSEC communities around the Internet although at the current time there is no specific area focused on VoIP and DNSSEC.

Softphones

We are aware of the following softphones that support IPv6:

Communications Equipment and Software

Beyond softphones, we are aware of the following equipment that supports IPv6.

Additional resources will be added to this page as we become aware of them.

Know of additional resources related to IPv6 and IP communications that we should list?  Please let us know!

Video – DNSSEC Deployment In The .GOV TLD (LISA 2012)

How did the deployment of DNSSEC go within the .GOV top-level domain? What kind of errors were found in the deployment?  What lessons were learned?  If they could start it all again, what would they do differently?

These were all questions discussed by Scott Rose of the US NIST in a talk last December at LISA 12 (where we had ION San Diego) titled “DNSSEC Deployment In The .GOV TLD”.   As we can see from NIST’s own statistics it was a long road to get DNSSEC deployed – but the latest stats now show around 81% of all .GOV domains being signed.

Scott’s talk is quite good and offers some good lessons for anyone interested in rolling out DNSSEC in a very large organization or community.  From the LISA 12 presentation page, you can either watch the video or listen to the audio.

DNSSEC in .GOV

Congratulations to Thailand and the Christmas Islands on their DNSSEC-signed TLDs

Congratulations to both the Christmas Islands and Thailand for the DNSSEC-signing of two more top-level domains (TLDs):

  • .CX   (Christmas Islands)
  • .ไทย  (Thailand)

In the case of Thailand, their .TH domain was already signed with DNSSEC, but this is now the internationalized domain name (IDN) for .TH.

These two new signed TLDs bring the count to 104 out of 317 TLDs according to ICANN’s TLD report.

Great to see!  (and a tip of the hat to Jeff Moss for tweeting out this news.)

P.S. To understand more about IDNs, Wikipedia has a useful article.

Speaking at SIPNOC Next Week About IPv6 and DNSSEC With VoIP

Interested in how voice-over-IP (VoIP) can work with IPv6? Want to know how DNSSEC can add a layer of security to VoIP?  Next week I’ll be speaking on these precise topics at the SIP Network Operators Conference (SIPNOC) sponsored by the SIP Forum and happening in Herndon, Virginia.

SIPNOC is an excellent conference that I’ve very much enjoyed over the past few years that brings together many of the key players involved with moving our telecommunications infrastructure from its PSTN roots into the world of IP communications. Its target is operators and so you have a good number of people there who are providing VoIP services to customers – typically using the SIP protocol.  The schedule is always an interesting mix of operational best practices, security concerns, new technologies, policy and other topics.  This year it’s good to see WebRTC being on the agenda in several places, as that will have an effect on the overall VoIP infrastructure.  (FYI, there is still time to register to attend the SIPNOC event.)

As shown on the SIPNOC schedule, I’ll be participating in these sessions:


IPv6 And SIP – Myth or Reality?
Wednesday, April 24, 10:45-11:45am

In this session we’ll be exploring what is really going on with VoIP and IPv6 and seek to answer questions such as:

  • What’s going on with SIP over IPv6?
  • What are the main challenges to using SIP with IPv6?
  • What do we know about the status of current equipment working with IPv6?
  • What are the SIP Forum and others in the industry doing to help advance the state of the art?
  • Where do we see SIP and IPv6 going?

I’m very much looking forward to the session and have several panelists joining me in a discussion-style panel that should be quite educational and interesting.


Who are You Really Calling? How DNSSEC Can Help
Thursday, April 25, 9:30-10:00am

My goal with this session is to explain what DNSSEC is all about and to look at how it can potentially help to secure a few aspects of VoIP communication.  As I wrote in the abstract:

When Alice calls Bob, how does she know that she is really communicating with Bob’s SIP server? Sure, her software grabs an SRV record for Bob’s server from DNS, but how does Alice’s system know whether that is the *correct* DNS record for Bob’s server? What if an attacker were able to inject DNS records that redirect Alice’s call to another system? What if there were a way that the SIP endpoints could be certain about the address of the other system they want to call?

I’ll also be talking about the Jitsi softphone that now supports DNSSEC as I wrote about in the past and more recently interviewed Emil Ivov, the Jitsi project lead.  I hope to get some people thinking about the possibility of using DNSSEC and looking into how it can work more with their VoIP infrastructure.


Beyond those sessions, I’ll also be engaging the “VoIP security” side of my background and moderating two sessions on Monday, April 23:

  • 5:15-6:15pm – Panel Discussion: Anatomy of a VoIP DMZ
  • 7:30-8:30pm – VoIP Security Birds-of-a-Feather (BOF)

The BOF, in particular, should be interesting as last year it was a very frank and open conversation between operators about the security issues they were facing.  Much good information – and solutions – were exchanged.

I’m very much looking forward to this event and if you are going to be at SIPNOC please do say hello.

At the current time the event is not being livestreamed, but I’m planning to record at least my sessions and make the video available through the Deploy360 YouTube channel.

Last Day To Submit Comments To ICANN About The DNSSEC Root Key Rollover

As we mentioned previously in both a blog post and an audio commentary, today, April 12, 2013, is the last day to weigh in with comments to ICANN about the rollover process of the DNSSEC Root Key-Signing Key (KSK). We strongly encourage you to read ICANN’s request for public comment and the comments already submitted … and then submit your own via the email address in the public consultation notice.  Even if to some degree you are just amplifying what others have already said, that is worthwhile and helpful to ICANN to get a sense of public sentiment among those who care about this issue.

There’s just a few more hours…

Video: Advancing the Network – Where We’ve Been, Where We’re Headed (ION San Diego)

Where is the Internet going? What comes next with regard to IPv6, DNSSEC and other technologies? At our ION San Diego event on December 11, 2012, we had a great panel session called “Advancing the Network – Where We’ve Been, Where We’re Headed” where we explored exactly these issues.

Moderated by Shumon Huque of the University of Pennsylvania, the panelists included:

  • Ron Broersma (DREN)
  • Paul Ebersman (Infoblox)
  • Paul Mockapetris (Nominum, Inc.)
  • John Spence (nephos6)

You can now watch the video and hear their views as well as the points raised by audience members:

Reminder – Livestream of ICANN46 DNSSEC Workshop Happening Now

As we mentioned previously the DNSSEC Workshop happening right now at ICANN 46 in Beijing, China, is being streamed live out on the Internet using Adobe Connect. You can view the slides and video and listen to the audio by following the links off of:

http://beijing46.icann.org/node/37125

It is also being recorded so you can view it later. It should be an excellent session for those interested in DNSSEC.

The workshop has already started here in Beijing and will be continuing for the next 6 hours.

Use Reddit and interested in DNSSEC? Subscribe to the ‘dnssecurity’ subreddit

If you are a Reddit user interested in DNSSEC, there is now a subreddit focused on “DNS security” at:

http://www.reddit.com/r/dnssecurity/

Please do subscribe and comment – and also please feel free to contribute links to any articles or resources out there related to DNSSEC, DANE or other topics related to DNS security.

P.S. There’s also a subreddit for IPv6, too.